Nathan Hamiel
Principal Consultant
Associate Professor at UAT
Marcin Wielgoszewski
Security Engineer
Reliance on tools can = fail!
Many more people testing web apps
Vendors play catch-up
Success is on your shoulders

Difficult cases
APIs and specialized data formats
Sequenced operations
Randomized data
Language specific

Object-oriented
Byte compiled
Fast
Wide support
Many security tools written in Python
Plenty of help available
Plenty of resources for learning available
w3af
SpikeProxy
sqlmap
ProxyStrike
wapiti
sulley
Peach
Canvas
Pyscan
DeBlaze
Scapy
MonkeyFist
Pcapy
Mynav
IDAPython
CPython
http://python.org
Jython
http://jython.org
IronPython
http://ironpython.net

Start with http://python.org
http://docs.python.org/
http://docs.python.org/tutorial/index.html
Google's Python Class
http://code.google.com/edu/languages/google-python-class/

There are differences between Python 2.x and 3.x
Walk like a duck and quack like a duck
Standard Lib
httplib
urllib / urllib2
urlparse
HTMLParser
struct
xml
json (Python 2.6)
difflib

3rd Party
httplib2
lxml
ZSI / suds
PyAMF
pydermonkey
Twisted
httplib
Standard HTTP module
Good for GETs and POSTs
HTTP / HTTPS support

httplib2
Expanded HTTP method support
Supports various auth methods
Automatically follows 3xx redirects

urllib
High level module for opening resources
Has URL encoding capabilities

urllib2
Expanded support for handlers
Merged in Python 3 along with urlparse

Examples
Perform transition magic
URL encoding and escaping
String methods (base64 / hex / rot13, etc)
Data representations (decimals / entities / etc)

DharmaEncoder
Provides methods to encode and wrap values
http://hexsec.com/labs

Do the legwork
Know your app
Know your parameters
Know your data

Work smarter
Create accurate ranges
itertools methods
Don't empty the clip
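The encoding bullets and the "accurate ranges" bullets above, carried through as one added example (not DharmaEncoder or pywebfuzz code): one test value rendered in the representations a decoder on the other side might accept, plus itertools-based ranges that stay bounded; all function names are my own.

```python
import base64
import codecs
import itertools
from urllib.parse import quote

# Added example, not DharmaEncoder or pywebfuzz code: one test value in the
# representations a decoder on the other side might accept, and ranges that
# stay bounded so a run does not "empty the clip" against the target.

def representations(value):
    raw = value.encode("utf-8")
    return {
        "plain": value,
        "url": quote(value, safe=""),                          # %3C
        "double_url": quote(quote(value, safe=""), safe=""),   # %253C
        "html_decimal": "".join("&#%d;" % b for b in raw),     # &#60;
        "html_hex": "".join("&#x%02x;" % b for b in raw),      # &#x3c;
        "hex": raw.hex(),
        "base64": base64.b64encode(raw).decode("ascii"),
        "rot13": codecs.encode(value, "rot_13"),
    }

def numeric_range(start, stop, step=1, width=0):
    # Accurate range for a numeric parameter; width zero-pads ("007") so
    # fixed-width identifiers are generated exactly as the app formats them.
    return ["%0*d" % (width, n) for n in range(start, stop, step)]

def bounded_cases(values, encodings, limit):
    # Lazily pair each value with each requested encoding and stop at limit,
    # so the product never expands past what the test plan budgeted.
    pairs = itertools.product(values, encodings)
    return [(v, e, representations(v)[e]) for v, e in itertools.islice(pairs, limit)]
```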
Web fuzzing lib for Python
http://code.google.com/p/pywebfuzz/
Usable in Python 2.x
Easy to distribute and repeat tests

Convenience
fuzzdb values accessible through classes
Request logic
Range generation and encoding/decoding
Basic request fuzzing
Finding an error condition

First things first
Determine content type, use appropriate parser
Don't use HTMLParser

    if html:
        use lxml.html
    elif xhtml:
        use lxml.etree
    elif xml:
        use lxml.etree
    elif json:
        use json
State issues
Account login / logout
Randomized values
Maintaining proper state while testing

Request
Process headers (referer and cookies)
Unable to parse content properly
Resort to regular expressions

Selenium
http://seleniumhq.org/
Windmill
http://www.getwindmill.com/

Firefox / XULRunner
pyxpcomext
http://pyxpcomext.mozdev.org/no_wrap/tutorials/pyxulrunner/python_xulrunner_about.html

WebKit
PyGtk / PyWebKitGtk
http://code.google.com/p/pywebkitgtk/

PyQt
http://wiki.python.org/moin/PyQt4
PySide (Official support from Nokia)
http://www.pyside.org/
Render returned requests from other libs in just a couple of lines of code

    import sys
    import httplib2
    from PyQt4.QtGui import *
    from PyQt4.QtWebKit import *

    # fetch the page with httplib2, then hand the body to a Qt WebKit view
    http = httplib2.Http()
    headers, content = http.request("http://python.org", "GET")

    app = QApplication(sys.argv)
    web = QWebView()
    web.setHtml(content)
    web.show()
    sys.exit(app.exec_())
Traditional
ZSI
Suds

RESTful
Both High and Low Rest
httplib
httplib2
Example

Identify issues passively
Cookie issues
Cache-control
Encoding issues

Augment other tools
Perform inspection on captured data
Use your favorite inspection proxy
No need to send data to endpoint
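The passive checks listed above, as an added example that is not part of the talk: it runs over a response captured by an inspection proxy (the sample below is constructed) and reports cookie flag, Cache-Control and charset issues without sending anything to the endpoint; the "no-store for cookie-setting responses" rule is an assumed policy.

```python
# Added example, not from the talk: passive checks over a response captured
# by an inspection proxy, so nothing is sent to the endpoint. The sample
# below is constructed.
SAMPLE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: sessionid=c0ffee; Path=/\r\n"
    "Set-Cookie: theme=dark; Path=/; Secure; HttpOnly\r\n"
    "Cache-Control: public, max-age=3600\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)

def parse_response(raw):
    # Split a raw response into (status line, [(name, value), ...], body);
    # repeated headers such as Set-Cookie are kept as separate pairs.
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body

def inspect(raw):
    _status, headers, _body = parse_response(raw)
    findings = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie = parts[0].partition("=")[0]
        attrs = {p.lower() for p in parts[1:]}
        if "secure" not in attrs:
            findings.append("cookie %s lacks Secure" % cookie)
        if "httponly" not in attrs:
            findings.append("cookie %s lacks HttpOnly" % cookie)
    last = dict(headers)             # last value wins; fine for single-valued headers
    cache = last.get("cache-control", "")
    if "set-cookie" in last and "no-store" not in cache.lower():
        # assumed policy: responses that set cookies should not be stored by caches
        findings.append("cookie-setting response is cacheable (%s)" % (cache or "no Cache-Control"))
    ctype = last.get("content-type", "")
    if ctype.startswith("text/") and "charset=" not in ctype.lower():
        findings.append("Content-Type %s declares no charset" % ctype)
    return findings
```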
PyAMF is most popular
Action Message Format encoder/decoder
Create remoting clients, gateways
Bind client-side classes to server-side POJOs

Start with a simple Python design pattern

    import pyamf

    class Factory(object):
        # accept any keyword arguments and expose them as attributes
        def __init__(self, *args, **kwargs):
            self.__dict__.update(kwargs)

    # map the server-side class alias onto the Python class
    pyamf.register_class(Factory, "namespace.of.object.Class")
You're presented with an app that communicates via a custom binary protocol
Oh what to do without my scanner.

Convert between Python values and C structs
U8 = unsigned 8-byte integer
U16 = unsigned 16-byte integer
UTF-8 = U16 * (UTF8-char) ; as defined in RFC3629
DOUBLE = 8-byte IEEE-754 double precision
; floating point in network byte order
msg = message-count parameters
message-count = U16
parameters = number-type | boolean-type | string-type
number-marker = 0x00
boolean-marker = 0x01
string-marker = 0x02
number-type = number-marker DOUBLE
boolean-type = boolean-marker U8
string-type = string-marker UTF-8
Write the appropriate type-marker to buffer
Followed by the value as a Double

    buf.write("\x00")
    buf.write(struct.pack(">d", val))

Reading is just the opposite
Struct unpacks into a Tuple

    while pos < len(buf):
        # ..snip..
        if buf[pos] == "\x00":
            pos += 1
            val = struct.unpack(">d", buf[pos:pos+8])[0]
            pos += 8
Writing a Boolean

    def write_bool(buf, val):
        buf.write("\x01")
        buf.write(struct.pack("B", val))

Parsing a Boolean

    while pos < len(buf):
        # ..snip..
        if buf[pos] == "\x01":
            pos += 1
            val = struct.unpack("B", buf[pos:pos+1])[0]
            pos += 1
Writing a String

    def write_string(buf, val):
        u = val.encode("utf-8")
        strlen = len(u)
        buf.write("\x02")
        # U16 length prefix (big-endian, like the DOUBLE rule) followed by the bytes
        buf.write(struct.pack(">H%ds" % strlen, strlen, u))

Parsing a String

    while pos < len(buf):
        # ..snip..
        if buf[pos] == "\x02":
            pos += 1
            s_len = struct.unpack(">H", buf[pos:pos+2])[0]
            pos += 2
            val = struct.unpack("%ds" % s_len, buf[pos:pos+s_len])[0]
            pos += s_len
You may have noticed that we wrote a simple state-machine
A while loop that iterates over a buffer, keeping track of the state it's in
Here's a cookie: <cookie pic here>

    def decode(buf):
        state = "START"
        pos = 0
        while pos < len(buf):
            if state == "START":      # get message count
            elif state == "MARKER":   # parse marker
            elif state == "NUMBER":   # parse number
            elif state == "BOOL":     # parse boolean
            elif state == "STRING":   # parse string
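The state-machine sketch above carried through as a complete encoder and decoder for the grammar on this page, as an added example rather than the talk's own code. It uses Python 3 bytes, keeps the struct formats of the snippets (B for U8, H for U16, d for DOUBLE) and assumes U16 fields are big-endian like the DOUBLE rule; every read is bounds-checked so a truncated or corrupt message is rejected instead of misparsed.

```python
import struct
# Added example (not the talk's code): full codec for the grammar above.
# Assumed: U16 fields are big-endian like the DOUBLE rule.
MARKERS = {0x00: "NUMBER", 0x01: "BOOL", 0x02: "STRING"}

def encode(params):
    out = [struct.pack(">H", len(params))]            # message-count = U16
    for p in params:
        if isinstance(p, bool):                       # bool first: it is an int subclass
            out.append(b"\x01" + struct.pack("B", p))
        elif isinstance(p, (int, float)):
            out.append(b"\x00" + struct.pack(">d", p))
        elif isinstance(p, str):
            u = p.encode("utf-8")
            out.append(b"\x02" + struct.pack(">H%ds" % len(u), len(u), u))
        else:
            raise TypeError("unsupported parameter %r" % (p,))
    return b"".join(out)

def decode(buf):
    # The slides' while loop, with every read bounds-checked: truncated or corrupt input raises ValueError.
    state, pos, count, params = "START", 0, 0, []
    def take(n):
        nonlocal pos
        if pos + n > len(buf):
            raise ValueError("truncated at offset %d in state %s" % (pos, state))
        pos += n
        return buf[pos - n:pos]
    while state != "MARKER" or pos < len(buf):       # a message may only end between parameters
        if state == "START":                          # get message count
            count = struct.unpack(">H", take(2))[0]
            state = "MARKER"
        elif state == "MARKER":                       # parse marker
            m = take(1)[0]
            if m not in MARKERS:
                raise ValueError("unknown marker 0x%02x at offset %d" % (m, pos - 1))
            state = MARKERS[m]
        elif state == "NUMBER":                       # parse number
            params.append(struct.unpack(">d", take(8))[0])
            state = "MARKER"
        elif state == "BOOL":                         # parse boolean
            params.append(bool(take(1)[0]))
            state = "MARKER"
        else:                                         # STRING: U16 length, then UTF-8
            n = struct.unpack(">H", take(2))[0]
            params.append(take(n).decode("utf-8"))
            state = "MARKER"
    if len(params) != count:
        raise ValueError("count says %d parameters, found %d" % (count, len(params)))
    return params
```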
